5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
38.8%
ExpandableDetailsNote
allows annotating build log content with additional information that can be revealed when interacted with.
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the caption
constructor parameter of ExpandableDetailsNote
.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide caption
parameter values.
As of publication, the related API is not used within Jenkins (core), and the Jenkins security team is not aware of any affected plugins.
Jenkins 2.424, LTS 2.414.2 escapes caption
constructor parameter values.